User input is checked and filtered automatically by PHP-Nuke, using the functions filter_text and check_html. filter_text checks for bad words and replaces
them, then calls check_html, which in turn checks for HTML tags and strips them completely if the second parameter is "nohtml".
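
A simplified PHP model of the chain described above, added here as an illustration and not taken from PHP-Nuke's source. The names model_filter_text and model_check_html, the bad-word list and the allowlist (standing in for the $AllowableHTML array in config.php) are assumptions; the model shows the "nohtml" mode and that img is dropped even when it is allowlisted, as this page states for check_html.

```php
<?php
// Simplified model of the chain described above. Not PHP-Nuke's code: the
// function names, word list and allowlist are constructed for illustration.

$allowable = ['b', 'i', 'img'];  // stands in for $AllowableHTML in config.php
$badWords  = ['darn'];           // constructed bad-word list

// Models check_html: "nohtml" strips every tag; otherwise only allowlisted
// tags survive, and img is removed even when it is on the allowlist.
function model_check_html(string $str, string $strip, array $allowable): string
{
    $allowed = array_values(array_diff($allowable, ['img']));
    if ($strip === 'nohtml' || $allowed === []) {
        return strip_tags($str);
    }
    // First pass: drop every tag that is not allowlisted.
    $kept = strip_tags($str, '<' . implode('><', $allowed) . '>');
    // Second pass (a choice of this model): re-emit surviving tags without
    // attributes, so an allowed tag cannot carry a handler such as onclick.
    return preg_replace('~<(/?)([a-z][a-z0-9]*)\b[^>]*>~i', '<$1$2>', $kept);
}

// Models filter_text: replace bad words, then hand the result to check_html.
function model_filter_text(string $text, string $strip, array $badWords, array $allowable): string
{
    $clean = str_ireplace($badWords, '***', $text);
    return model_check_html($clean, $strip, $allowable);
}

// Constructed sample input.
$input = 'A <b onclick="x()">darn</b> <img src="a.png"> <u>test</u>';

// Default mode: allowlisted tags kept, img and non-listed tags removed.
echo model_filter_text($input, '', $badWords, $allowable), PHP_EOL;
// "nohtml" mode: every tag removed.
echo model_filter_text($input, 'nohtml', $badWords, $allowable), PHP_EOL;
```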

Table 16-1 shows all modules that call filter_text, together with the line the call is made on. You can see that filter_text is used to
filter

check_html, in turn, is not only called from filter_text, but also in its own right. Table 16-2 shows all modules that call check_html and
the line it is called on. You can see that check_html is called to check the HTML input in

the query string in the Downloads, Encyclopedia, Web Links and Search sections

the title, text, reviewer, URL text and comments in the Reviews module

check_html uses the $AllowableHTML array that is defined in config.php. The idea is that only the tags that are included in the $AllowableHTML array should be allowed. However, even if you
explicitly allow the img tag in $AllowableHTML, it will be stripped away by check_html (and by filter_text, which also calls it). The line that does this is